| Bram Bonne | b93f26f | 2022-03-15 18:28:02 +0100 | [diff] [blame] | 1 | ### |
| 2 | ### SDK Sandbox process. |
| 3 | ### |
| 4 | ### This file defines the security policy for the sdk sandbox processes. |
| 5 | |
| Lokesh Gidra | 1269a17 | 2022-08-01 17:20:38 +0000 | [diff] [blame] | 6 | type sdk_sandbox, domain; |
| 7 | |
| 8 | typeattribute sdk_sandbox coredomain; |
| 9 | |
| 10 | net_domain(sdk_sandbox) |
| 11 | app_domain(sdk_sandbox) |
| 12 | |
| Sandro | d055352 | 2022-10-04 12:52:09 +0000 | [diff] [blame] | 13 | # TODO(b/252967582): remove this rule if it generates too much logs traffic. |
| 14 | auditallow sdk_sandbox { |
| 15 | property_type |
| 16 | # remove expected properties to reduce noise. |
| 17 | -servicemanager_prop |
| 18 | -hwservicemanager_prop |
| 19 | -use_memfd_prop |
| 20 | -binder_cache_system_server_prop |
| 21 | -graphics_config_prop |
| 22 | -persist_wm_debug_prop |
| 23 | -aaudio_config_prop |
| 24 | -adbd_config_prop |
| 25 | -apex_ready_prop |
| 26 | -apexd_select_prop |
| 27 | -arm64_memtag_prop |
| 28 | -audio_prop |
| 29 | -binder_cache_bluetooth_server_prop |
| 30 | -binder_cache_telephony_server_prop |
| 31 | -bluetooth_config_prop |
| 32 | -boot_status_prop |
| 33 | -bootloader_prop |
| 34 | -bq_config_prop |
| 35 | -build_odm_prop |
| 36 | -build_prop |
| 37 | -build_vendor_prop |
| 38 | -camera2_extensions_prop |
| 39 | -camera_calibration_prop |
| 40 | -camera_config_prop |
| 41 | -camerax_extensions_prop |
| 42 | -codec2_config_prop |
| 43 | -config_prop |
| 44 | -cppreopt_prop |
| 45 | -dalvik_config_prop |
| 46 | -dalvik_prop |
| 47 | -dalvik_runtime_prop |
| 48 | -dck_prop |
| 49 | -debug_prop |
| 50 | -debuggerd_prop |
| 51 | -default_prop |
| 52 | -device_config_memory_safety_native_prop |
| 53 | -device_config_nnapi_native_prop |
| 54 | -device_config_runtime_native_boot_prop |
| 55 | -device_config_runtime_native_prop |
| 56 | -dhcp_prop |
| 57 | -dumpstate_prop |
| 58 | -exported3_system_prop |
| 59 | -exported_config_prop |
| 60 | -exported_default_prop |
| 61 | -exported_dumpstate_prop |
| 62 | -exported_pm_prop |
| 63 | -exported_system_prop |
| 64 | -ffs_config_prop |
| 65 | -fingerprint_prop |
| 66 | -framework_status_prop |
| 67 | -gwp_asan_prop |
| 68 | -hal_instrumentation_prop |
| 69 | -hdmi_config_prop |
| 70 | -heapprofd_prop |
| 71 | -hw_timeout_multiplier_prop |
| 72 | -init_service_status_private_prop |
| 73 | -init_service_status_prop |
| 74 | -libc_debug_prop |
| 75 | -lmkd_config_prop |
| 76 | -locale_prop |
| 77 | -localization_prop |
| 78 | -log_file_logger_prop |
| 79 | -log_prop |
| 80 | -log_tag_prop |
| 81 | -logd_prop |
| 82 | -media_config_prop |
| 83 | -media_variant_prop |
| 84 | -mediadrm_config_prop |
| 85 | -module_sdkextensions_prop |
| 86 | -net_radio_prop |
| 87 | -nfc_prop |
| 88 | -nnapi_ext_deny_product_prop |
| 89 | -ota_prop |
| 90 | -packagemanager_config_prop |
| 91 | -pan_result_prop |
| 92 | -permissive_mte_prop |
| 93 | -persist_debug_prop |
| 94 | -pm_prop |
| 95 | -powerctl_prop |
| 96 | -property_service_version_prop |
| 97 | -radio_control_prop |
| 98 | -radio_prop |
| 99 | -restorecon_prop |
| 100 | -rollback_test_prop |
| 101 | -sendbug_config_prop |
| 102 | -setupwizard_prop |
| 103 | -shell_prop |
| 104 | -soc_prop |
| 105 | -socket_hook_prop |
| 106 | -sqlite_log_prop |
| 107 | -storagemanager_config_prop |
| 108 | -surfaceflinger_color_prop |
| 109 | -surfaceflinger_prop |
| 110 | -system_prop |
| 111 | -system_user_mode_emulation_prop |
| 112 | -systemsound_config_prop |
| 113 | -telephony_config_prop |
| 114 | -telephony_status_prop |
| 115 | -test_harness_prop |
| 116 | -timezone_prop |
| 117 | -usb_config_prop |
| 118 | -usb_control_prop |
| 119 | -usb_prop |
| 120 | -userdebug_or_eng_prop |
| 121 | -userspace_reboot_config_prop |
| 122 | -userspace_reboot_exported_prop |
| 123 | -userspace_reboot_log_prop |
| 124 | -userspace_reboot_test_prop |
| 125 | -vendor_socket_hook_prop |
| 126 | -vndk_prop |
| 127 | -vold_config_prop |
| 128 | -vold_prop |
| 129 | -vold_status_prop |
| 130 | -vts_config_prop |
| 131 | -vts_status_prop |
| 132 | -wifi_log_prop |
| 133 | -zygote_config_prop |
| 134 | -zygote_wrap_prop |
| 135 | -init_service_status_prop |
| 136 | }:file { getattr open read map }; |
| 137 | |
| Sandro | 692c3ad | 2022-09-14 11:58:21 +0000 | [diff] [blame] | 138 | # Allow finding services. This is different from ephemeral_app policy. |
| 139 | # Adding services manually to the allowlist is preferred hence app_api_service is not used. |
| 140 | |
| 141 | allow sdk_sandbox activity_service:service_manager find; |
| 142 | allow sdk_sandbox activity_task_service:service_manager find; |
| 143 | allow sdk_sandbox appops_service:service_manager find; |
| 144 | allow sdk_sandbox audio_service:service_manager find; |
| 145 | allow sdk_sandbox audioserver_service:service_manager find; |
| 146 | allow sdk_sandbox batteryproperties_service:service_manager find; |
| 147 | allow sdk_sandbox batterystats_service:service_manager find; |
| 148 | allow sdk_sandbox connectivity_service:service_manager find; |
| 149 | allow sdk_sandbox connmetrics_service:service_manager find; |
| 150 | allow sdk_sandbox deviceidle_service:service_manager find; |
| 151 | allow sdk_sandbox display_service:service_manager find; |
| 152 | allow sdk_sandbox dropbox_service:service_manager find; |
| 153 | allow sdk_sandbox font_service:service_manager find; |
| 154 | allow sdk_sandbox game_service:service_manager find; |
| 155 | allow sdk_sandbox gpu_service:service_manager find; |
| 156 | allow sdk_sandbox graphicsstats_service:service_manager find; |
| 157 | allow sdk_sandbox hardware_properties_service:service_manager find; |
| 158 | allow sdk_sandbox hint_service:service_manager find; |
| 159 | allow sdk_sandbox imms_service:service_manager find; |
| 160 | allow sdk_sandbox input_method_service:service_manager find; |
| 161 | allow sdk_sandbox input_service:service_manager find; |
| 162 | allow sdk_sandbox IProxyService_service:service_manager find; |
| 163 | allow sdk_sandbox ipsec_service:service_manager find; |
| 164 | allow sdk_sandbox launcherapps_service:service_manager find; |
| 165 | allow sdk_sandbox legacy_permission_service:service_manager find; |
| 166 | allow sdk_sandbox light_service:service_manager find; |
| 167 | allow sdk_sandbox locale_service:service_manager find; |
| 168 | allow sdk_sandbox media_communication_service:service_manager find; |
| 169 | allow sdk_sandbox mediaextractor_service:service_manager find; |
| 170 | allow sdk_sandbox mediametrics_service:service_manager find; |
| 171 | allow sdk_sandbox media_projection_service:service_manager find; |
| 172 | allow sdk_sandbox media_router_service:service_manager find; |
| 173 | allow sdk_sandbox mediaserver_service:service_manager find; |
| 174 | allow sdk_sandbox media_session_service:service_manager find; |
| 175 | allow sdk_sandbox memtrackproxy_service:service_manager find; |
| 176 | allow sdk_sandbox midi_service:service_manager find; |
| 177 | allow sdk_sandbox netpolicy_service:service_manager find; |
| 178 | allow sdk_sandbox netstats_service:service_manager find; |
| 179 | allow sdk_sandbox network_management_service:service_manager find; |
| 180 | allow sdk_sandbox notification_service:service_manager find; |
| 181 | allow sdk_sandbox package_service:service_manager find; |
| 182 | allow sdk_sandbox permission_checker_service:service_manager find; |
| 183 | allow sdk_sandbox permission_service:service_manager find; |
| 184 | allow sdk_sandbox permissionmgr_service:service_manager find; |
| 185 | allow sdk_sandbox platform_compat_service:service_manager find; |
| 186 | allow sdk_sandbox power_service:service_manager find; |
| 187 | allow sdk_sandbox procstats_service:service_manager find; |
| 188 | allow sdk_sandbox registry_service:service_manager find; |
| 189 | allow sdk_sandbox restrictions_service:service_manager find; |
| 190 | allow sdk_sandbox rttmanager_service:service_manager find; |
| 191 | allow sdk_sandbox search_service:service_manager find; |
| 192 | allow sdk_sandbox selection_toolbar_service:service_manager find; |
| 193 | allow sdk_sandbox sensor_privacy_service:service_manager find; |
| 194 | allow sdk_sandbox sensorservice_service:service_manager find; |
| 195 | allow sdk_sandbox servicediscovery_service:service_manager find; |
| 196 | allow sdk_sandbox settings_service:service_manager find; |
| 197 | allow sdk_sandbox speech_recognition_service:service_manager find; |
| 198 | allow sdk_sandbox statusbar_service:service_manager find; |
| 199 | allow sdk_sandbox storagestats_service:service_manager find; |
| 200 | allow sdk_sandbox surfaceflinger_service:service_manager find; |
| 201 | allow sdk_sandbox telecom_service:service_manager find; |
| 202 | allow sdk_sandbox tethering_service:service_manager find; |
| 203 | allow sdk_sandbox textclassification_service:service_manager find; |
| 204 | allow sdk_sandbox textservices_service:service_manager find; |
| 205 | allow sdk_sandbox texttospeech_service:service_manager find; |
| 206 | allow sdk_sandbox thermal_service:service_manager find; |
| 207 | allow sdk_sandbox translation_service:service_manager find; |
| 208 | allow sdk_sandbox tv_iapp_service:service_manager find; |
| 209 | allow sdk_sandbox tv_input_service:service_manager find; |
| 210 | allow sdk_sandbox uimode_service:service_manager find; |
| 211 | allow sdk_sandbox vcn_management_service:service_manager find; |
| 212 | allow sdk_sandbox webviewupdate_service:service_manager find; |
| 213 | |
| 214 | allow sdk_sandbox system_linker_exec:file execute_no_trans; |
| 215 | |
| Lokesh Gidra | 1269a17 | 2022-08-01 17:20:38 +0000 | [diff] [blame] | 216 | # Write app-specific trace data to the Perfetto traced damon. This requires |
| 217 | # connecting to its producer socket and obtaining a (per-process) tmpfs fd. |
| 218 | perfetto_producer(sdk_sandbox) |
| 219 | |
| 220 | # Allow profiling if the app opts in by being marked profileable/debuggable. |
| 221 | can_profile_heap(sdk_sandbox) |
| 222 | can_profile_perf(sdk_sandbox) |
| 223 | |
| 224 | # allow sdk sandbox to use UDP sockets provided by the system server but not |
| 225 | # modify them other than to connect |
| 226 | allow sdk_sandbox system_server:udp_socket { |
| 227 | connect getattr read recvfrom sendto write getopt setopt }; |
| 228 | |
| 229 | # allow sandbox to search in sdk system server directory |
| 230 | # additionally, for webview to work, getattr has been permitted |
| 231 | allow sdk_sandbox sdk_sandbox_system_data_file:dir { getattr search }; |
| 232 | # allow sandbox to create files and dirs in sdk data directory |
| 233 | allow sdk_sandbox sdk_sandbox_data_file:dir create_dir_perms; |
| 234 | allow sdk_sandbox sdk_sandbox_data_file:file create_file_perms; |
| Bram Bonne | b93f26f | 2022-03-15 18:28:02 +0100 | [diff] [blame] | 235 | |
| 236 | ### |
| 237 | ### neverallow rules |
| 238 | ### |
| 239 | |
| Bram Bonne | 078b43c | 2022-04-25 13:28:52 +0200 | [diff] [blame] | 240 | neverallow sdk_sandbox { app_data_file privapp_data_file sdk_sandbox_data_file }:file { execute execute_no_trans }; |
| Bram Bonne | b93f26f | 2022-03-15 18:28:02 +0100 | [diff] [blame] | 241 | |
| 242 | # Receive or send uevent messages. |
| 243 | neverallow sdk_sandbox domain:netlink_kobject_uevent_socket *; |
| 244 | |
| 245 | # Receive or send generic netlink messages |
| 246 | neverallow sdk_sandbox domain:netlink_socket *; |
| 247 | |
| 248 | # Too much leaky information in debugfs. It's a security |
| 249 | # best practice to ensure these files aren't readable. |
| 250 | neverallow sdk_sandbox debugfs:file read; |
| 251 | |
| 252 | # execute gpu_device |
| 253 | neverallow sdk_sandbox gpu_device:chr_file execute; |
| 254 | |
| 255 | # access files in /sys with the default sysfs label |
| 256 | neverallow sdk_sandbox sysfs:file *; |
| 257 | |
| 258 | # Avoid reads from generically labeled /proc files |
| 259 | # Create a more specific label if needed |
| 260 | neverallow sdk_sandbox proc:file { no_rw_file_perms no_x_file_perms }; |
| 261 | |
| 262 | # Directly access external storage |
| 263 | neverallow sdk_sandbox { sdcard_type media_rw_data_file }:file {open create}; |
| 264 | neverallow sdk_sandbox { sdcard_type media_rw_data_file }:dir search; |
| 265 | |
| 266 | # Avoid reads to proc_net, it contains too much device wide information about |
| 267 | # ongoing connections. |
| 268 | neverallow sdk_sandbox proc_net:file no_rw_file_perms; |
| 269 | |
| 270 | # SDK sandbox processes have their own storage not related to app_data_file or privapp_data_file |
| 271 | neverallow sdk_sandbox { app_data_file privapp_data_file }:dir no_rw_file_perms; |
| 272 | neverallow sdk_sandbox { app_data_file privapp_data_file }:file no_rw_file_perms; |
| 273 | |
| 274 | # SDK sandbox processes don't have any access to external storage |
| 275 | neverallow sdk_sandbox { media_rw_data_file }:dir no_rw_file_perms; |
| 276 | neverallow sdk_sandbox { media_rw_data_file }:file no_rw_file_perms; |
| 277 | |
| 278 | neverallow { sdk_sandbox } tmpfs:dir no_rw_file_perms; |
| Bram Bonne | 85dfe31 | 2022-03-23 17:48:48 +0100 | [diff] [blame] | 279 | |
| 280 | neverallow sdk_sandbox hal_drm_service:service_manager find; |
| Mohammad Samiul Islam | d2ffd35 | 2022-05-11 21:43:54 +0100 | [diff] [blame] | 281 | |
| 282 | # Only certain system components should have access to sdk_sandbox_system_data_file |
| 283 | # sdk_sandbox only needs search. Restricted in follow up neverallow rule. |
| 284 | neverallow { |
| 285 | domain |
| 286 | -init |
| 287 | -installd |
| Sanjana Sunil | 5630163 | 2022-05-20 11:24:32 +0000 | [diff] [blame] | 288 | -system_server |
| 289 | -vold_prepare_subdirs |
| 290 | } sdk_sandbox_system_data_file:dir { relabelfrom }; |
| 291 | |
| 292 | neverallow { |
| 293 | domain |
| 294 | -init |
| 295 | -installd |
| Mohammad Samiul Islam | d2ffd35 | 2022-05-11 21:43:54 +0100 | [diff] [blame] | 296 | -sdk_sandbox |
| 297 | -system_server |
| 298 | -vold_prepare_subdirs |
| Sanjana Sunil | 5630163 | 2022-05-20 11:24:32 +0000 | [diff] [blame] | 299 | -zygote |
| 300 | } sdk_sandbox_system_data_file:dir { create_dir_perms relabelto }; |
| Mohammad Samiul Islam | d2ffd35 | 2022-05-11 21:43:54 +0100 | [diff] [blame] | 301 | |
| 302 | # sdk_sandbox only needs to traverse through the sdk_sandbox_system_data_file |
| 303 | neverallow sdk_sandbox sdk_sandbox_system_data_file:dir ~{ getattr search }; |
| 304 | |
| 305 | # Only dirs should be created at sdk_sandbox_system_data_file level |
| 306 | neverallow { domain -init } sdk_sandbox_system_data_file:file *; |